Chatgpt On Wechat Cowagent
Authentication bypass in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4: the Agent Mode Service component is missing authentication checks (CWE-306), allowing remote unauthenticated attackers to manipulate it. Publicly available exploit code exists, and the vulnerability has been reported to the project without response. The CVSS score of 6.9 reflects moderate confidentiality, integrity, and availability impact, with a network-accessible attack vector and no user interaction required.
Missing authentication on the administrative HTTP endpoint of zhayujie chatgpt-on-wechat CowAgent 2.0.4 allows remote attackers to bypass access controls and perform unauthorized administrative operations without credentials. Publicly available exploit code exists. An EPSS score is not available; the CVSS score of 7.3 reflects a network-based attack requiring no privileges or user interaction. The vendor has not responded to the vulnerability disclosure (GitHub issue #2733) at time of analysis.
Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.